Many organizations now store more sensitive data and assets in the cloud than on-premises – and attackers have taken notice. Organizations need to know what threats attackers pose in the cloud. One way to stay ahead of potential attacks is to use cloud threat intelligence.
Threat intelligence involves collecting, classifying, and exploiting knowledge about adversaries. Teams collect security intelligence data from a variety of sources, including logs, security controls, and external threat information feeds, and then analyze that data to mitigate risks.
As the cloud becomes more ubiquitous, it must become an integral part of the threat intelligence process. Security engineering and operations teams must devote time and resources to developing, collecting, and implementing cloud-specific threat intelligence.
Organizations can collect cloud-specific threat intelligence from several third-party sources, including cloud service providers (CSPs), threat intelligence providers, and managed security providers.
Strategic and operational cloud threat intelligence
Security teams need to develop strategic and operational threat intelligence. Strategic threat intelligence involves executives and non-technical stakeholders who shape risk management decisions.
Examples of strategic cloud threat intelligence include:
- Current attack trends and campaigns targeting an existing service provider, such as the Chinese-sponsored attacks targeting Microsoft in 2022 and 2023.
- Reputation changes with cloud services that can impact a customer organization.
- New vulnerabilities or attacks targeting specific cloud workloads or types of services used, such as serverless, Kubernetes, or containers.
Operational threat intelligence is more tactical in nature. It helps inform the Security Operations Center (SOC), threat hunting, DevOps, and other technical teams.
Examples of operational threat intelligence include:
- Specific patterns of attacks against cloud resources, including password spraying, misuse of API keys and privileged roles, and deploying and running cryptocurrency miners in containers.
- Use of cloud storage and other services to host and spread malware.
- CSP logs and event data that may indicate illegitimate use of resources, unusual access attempts, or external communication attempts to exfiltrate data or reach command-and-control infrastructure.
Key components of a cloud threat intelligence program
To effectively implement cloud threat intelligence, organizations need the right team and technologies.
A cloud-focused threat intelligence team, depending on the size and capabilities of the organization, should include the following core participants:
- Cloud architecture and engineering teams.
- DevOps.
- Architecture and security engineering.
- SOC teams.
- Dedicated teams and roles for threat intelligence or threat hunting.
Secondary participants may include internal risk management teams and executive leadership. External analysts can also provide threat information and cloud security insights.
To make it easier to build a consistent, usable information base about cloud threats, organizations should implement and monitor the following technologies:
- Cloud log generation and aggregation services, such as AWS CloudTrail, Amazon CloudWatch, Azure Monitor, and Google Cloud Logging.
- Network flow data, which can be collected in any major IaaS cloud.
- Security services that are compatible with CSP environments or provided within them, such as Microsoft Sentinel, Amazon GuardDuty, or Google Cloud Security Command Center.
- Any workload protection platforms in use, such as endpoint detection and response tools or cloud-native application protection platforms.
- Cloud security posture management and cloud access security broker platforms that provide insight and context into both configuration status and observed cloud behaviors.
Security teams must define use cases and develop integration rules that make the collected data actionable. This supports informed risk decisions and enables more accurate, targeted investigations when detecting and responding to threats. Creating a dashboard of detected and monitored risk changes over time can also help distill cloud threat information into metrics and KPIs for executives.
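As an added example of turning the operational intelligence above (password spraying as an attack pattern, CloudTrail as a log source) into an actionable detection rule, the following is not from the article: it scans constructed CloudTrail-style ConsoleLogin records and flags any source IP whose failed logins span many distinct user names. The record layout follows CloudTrail's ConsoleLogin event format; the sample events and the five-account threshold are assumptions to tune per environment.

```python
"""Password-spray detection over CloudTrail-style ConsoleLogin events."""
import json
from collections import defaultdict

# Constructed sample CloudTrail records, trimmed to the fields the rule uses.
# One IP fails against five different accounts (spray); another IP fails once
# and then succeeds for the same user (ordinary typo, should not fire).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": name},
     "responseElements": {"ConsoleLogin": "Failure"}}
    for name in ("alice", "bob", "carol", "dave", "erin")
] + [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    # Non-login API call from the spraying IP; the rule must ignore it.
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]]


def detect_password_spray(raw_events, min_distinct_users=5):
    """Return {source_ip: sorted distinct user names} for every IP whose
    failed ConsoleLogin attempts cover at least min_distinct_users accounts.
    Each element of raw_events is one CloudTrail record as a JSON string."""
    failures = defaultdict(set)
    for raw in raw_events:
        ev = json.loads(raw)
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue
        # CloudTrail may mask the user name on failures for unknown accounts;
        # those collapse into one bucket, so the count is a lower bound.
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        failures[ev.get("sourceIPAddress", "<none>")].add(user)
    return {ip: sorted(users) for ip, users in failures.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    for ip, users in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {ip}: {', '.join(users)}")
```

In production the same rule would run as a scheduled query over the aggregated log store rather than over an in-memory list, with a time window added so that failures accumulated over months do not trigger it.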
Dave Shackelford is founder and principal consultant at Voodoo Security; SANS analyst, instructor, and course author; and Technical Director of GIAC.